IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
DNS Tunneling
editDNS Tunneling
editDetects unusually large numbers of DNS queries for a single top-level DNS
domain, which is often used for DNS tunneling. DNS tunneling can be used for
command-and-control, persistence, or data exfiltration activity. For example,
dnscat
tends to generate many DNS questions for a top-level domain as it uses
the DNS protocol to tunnel data.
Rule type: machine_learning
Machine learning job: packetbeat_dns_tunneling
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-45m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
References:
Tags:
- Elastic
- ML
- Packetbeat
Version: 1
Added (Elastic Stack release): 7.7.0
Potential false positives
editDNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this signal and such parent domains can be excluded.